Re: Default password hash

On Mon, Jun 11, 2012 at 11:44 AM, Lev Serebryakov <lev@freebsd.org> wrote:
> Hello, Simon.
> You wrote 10 =D0=B8=D1=8E=D0=BD=D1=8F 2012 =D0=B3., 14:02:50:
>
> SLBN> Has anyone looked at how long the SHA512 password hashing
> SLBN> actually takes on modern computers?
> =C2=A0Modern =C2=A0computers =C2=A0are =C2=A0not what should you afraid. =
Modern GPUs are.
> And they are incredibly fast in calculation of MD5, SHA-1 and SHA-2.
>
> =C2=A0Modern key-derivation schemes must be RAM-heavy, not CPU-heavy.

But the modern CPU's will limit the number of rounds you can use for a
hash (if you use same system as md5crypt), as you can't let users wait
10+ seconds to check their password.

> =C2=A0And =C2=A0 I =C2=A0 don't =C2=A0 understand, =C2=A0 why =C2=A0shoul=
d =C2=A0we =C2=A0use =C2=A0our =C2=A0home-grown
> "strengthening" algorithms instead of "standard" choices: PBKDF2[1],
> bcrypt[2] and (my favorite) scrypt[3].

Recall that FreeBSD's MD5 strengthening probably predates most of the
other systems by a while (I'm too lazy to look it up).

That said, I generally agree we should go with something standard or
existing unless there is a very good reason not to.

PBKDF2 / RFC2898 is what GELI uses (which I mentioned previously).

> [1] http://tools.ietf.org/html/rfc2898
> [2] http://static.usenix.org/events/usenix99/provos/provos_html/node1.htm=
l
> [3] http://www.tarsnap.com/scrypt.html

--=20
Simon
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"